@ Looker (and your alter-ego 'SecuritySolution' as well)

First off, you pretty much owe me $500 by the terms of your offer. Period.

But being the _extremely_ nice guy that I am, I'll let that slide for the moment while we discuss much more serious matters.

OpenPGP and GNU Privacy Guard (GPG) are subject to manipulable short ID collisions, as announced on 26 December 2011 on asheesh.org.

How are you going to mitigate this collision attack on your collection of 'signed trusted keys'?

How can you prove (hint, you can't) that keys that you've signed the short IDs of are in fact the correct keys and not intentional collisions masquerading as valid keys?

If you now audit your collection of signed keys, what is your standard method of key revocation, and how can you revoke short ID digital sigs on existing keys?

What secure keyserver do your programs check for key validity confirmation and possible revocations?

Finally, how are you going to go about recalling and repairing existing instantiations of your offering?

The news the above is based upon is over 24 hours old, so would your best practices suggest that anyone that uses your product immediately cease to do so until you have created and tested a patch/replacement?

Or is your plan to just let folks mosey along using your product, with no clue whatsoever of the problem?

In case you weren't counting, that's seven questions that could severely impact the security of anyone using your setup, so I'm going to be expecting seven exacting, precise and verbose responses to them.

*Oh yeah, Merry Christmas!